You need to put a jmp instruction to jump back to your shellcode (which
should be located after the return address). Try something like this:

[NOPs][Shellcode][Padding (ebp, local vars, etc.)][Return address = pointer to a JMP ESP][jmp 0-padding-shellcode_len-5]

Note the first thing your shellcode should do is add esp, 0xffffeff0
(which is the same as subtracting ~4K from esp) so that when you push
stuff onto the stack you're not corrupting your shellcode.

Matt

On Mon, 22 Apr 2003 chaboyd77at_private wrote:

> I'm practicing developing Windows Buffer Overflows and
> have run into a slight snag. When I overwrite EIP with
> the address of "jmp ESP" I land below my shellcode instead
> of where the top of the stack used to be:
>
> <-----------400 bytes-------->
> [NOP's........Shellcode...EIP..*<-code jumps here**]
>
> This didn't seem right but I figured that I'd use an
> offset from ESP to hop back to my shellcode.
>
> xor eax,eax
> xor ebp,ebp
> mov ebp,esp
> mov eax,ebp - 190H
> jump eax
>
> What I'm trying is loading esp into ebp and then moving
> that value into eax followed by a jump eax. Tried straight
> from esp to eax but figured out that wasn't allowed. I know
> that the .printer exploit (jill.c) does something similar (uses
> eax and ebx to make the jump). Any ideas?
> Thanks,
> Dave
This archive was generated by hypermail 2b30 : Tue Apr 22 2003 - 12:53:50 PDT